Your guide to UPI — the world’s most advanced payments system

This is not hyperbole. India just crushed it!

Authors: Sasi Desai, Nipun Jasuja, Piyush Khandekar

Image source: digitalindiapayments.com

“The payment for sins can be delayed, but it cannot be avoided” — Shawn Ryan

Since the dawn of human civilization, payments systems have driven progress. Arguably, the start of ‘society’ as we know it can be traced back to the first set of payments ever made.

Man would hunt beast for food and trade it for clothing. As civilization progressed, simple barter became passé and new payments systems emerged, promising improved speed and ease of use. And so we moved from barter to cowry shells to gold to currency. The advent of computers marked the beginning of digital transactions, and a new infrastructure soon emerged to support digital payments.

As our payment solutions evolved, so did our societal structures — from an era where everyone was equal in a community to a society torn apart based on level of access to the formal economy. India is one such land of economic extremes. It sits in the top five list for two categories — (i) maximum number of billionaires, and (ii) maximum number of people living under poverty. In recent years, India’s rapidly growing GDP has created a chasm between a rich minority and a poor majority. The top 1% of India controls over 50% of its wealth, while the bottom half of the country barely scrapes by on 4% of the wealth. This level of inequality is unmatched anywhere in the world (except for South Africa).

It is in this context that one must understand the payments infrastructure in India. And it is this context that makes the current payments innovation in India so revolutionary. In a short span of time, the Indian government has catapulted the country’s payments infrastructure into one of the most advanced, innovative, and financially inclusive platforms in the world.

What exactly is this payments infrastructure? And what is so revolutionary about it? The unofficial rulebook of writing primers dictates that we start by explaining the current landscape.

Current landscape

India’s digital payments landscape only got going in the early nineties. With the cold war over, India decided to liberalize its economy, moving away from its socialist past. From a digital payments perspective, one of the first steps that the Indian government took was to establish an Electronic Clearing Service (ECS) to handle periodic / bulk payments (think salary payments, dividend disbursements, etc.).

Given India’s economic diversity, ECS did not prove to be sufficient. New payments systems (or “rails”) were established as needed and India soon ended up with an alphabet soup of payments systems. In addition to Visa and Mastercard, India now has the following payments rails, managed by the National Payments Corporation of India (NPCI).

Despite the government’s best efforts, the payments systems established were not entirely inclusive or comprehensive. Certain sections of the society (typically, urban, upper middle class) kept pace with the cutting edge payments systems, while other parts of India struggled with financial inclusion. Payments rails simply could not be deployed to the large swaths of India that were not on the grid. The gap between the privileged and the not-so-privileged continued to persist. To date, less than 2% of the country is in the formal economy (i.e., files taxes), and around 95% of all transactions are conducted purely in cash.

Catalysts for change — the JAM initiative

As NPCI pondered over this conundrum, three important trends emerged in India.

1. Aadhaar provided (almost) every Indian with a digital identity. In 2010, India launched a program called Aadhaar, the world’s most ambitious national identity project. Its objective was to catapult India into an era where every resident has a permanent, unique, and secure digital identity based on biometric and demographic data. By March 31, over 1.1 billion members were enrolled in Aadhaar, which is more than 92% of the country’s population.
2. Mobile penetration surged. Around the same time, cell phone adoption took off massively. India now has north of 200 million smartphone users and more than a billion mobile (smart + feature) phone subscribers. That’s billion with a ‘B’. These mobile subscriptions are tied to an identity number (given India’s KYC requirements) and thus most are tied to an Aadhaar card.
3. Jan-Dhan improved access to banking and financial services. In 2014, the Indian government launched a financial inclusion program, known as the Prime Minister’s Jan-Dhan Yojana (PMJDY), aimed at ensuring access to financial services such as savings and deposit accounts, remittance, credit, insurance, and pension in an affordable manner. By February 2017, 270 million bank accounts were opened and US $10 billion were deposited under this scheme.

The Indian government was quick to realize that there were immense benefits in having the three trends intersect, and so it created the JAM (Jan-Dhan Aadhaar Mobile) initiative to link bank accounts, Aadhaar numbers, and cell phone numbers. The initial idea was for the government to use the trinity for executing welfare programs.
— Want to disburse social security payments? Push a button.
— Want to subsidize groceries for the masses? Directly transfer to the recipient’s bank account.

To achieve this vision, new payments rails would be needed. And so the payments alphabet soup got richer — APBS and AEPS were envisioned.

The motivation for a payments revolution

By 2015 -2016, the excitement around mobile penetration in India had reached a frenzy and the Indian market was bombarded with mobile-first businesses. From e-commerce to entertainment to the sharing economy, mobile businesses were taking off, and with them, so was the demand for digital payments.

Seeing the economic potential of making payments easy and accessible, the government issued charters for several “payments banks” (banks that could provide basic deposit and payment services, but could not lend money) in 2015. These licenses were primarily issued to existing private corporations which had broad customer reach but did not yet play a formal role in financial services.

As an example, one of the recipients of the license was India’s postal system — the most widely distributed postal system in the world, with unparalleled reach into the most remote corners of the Indian economy. This essentially converted the postal network into a platform for providing banking services. Licenses were also issued to telecom providers with a similar rationale. The goal of creating this infrastructure was to address the 5 C’s that underpinned the vision for payments in India; Coverage, Convenience, Confidence (integrity and security), Cost, and Convergence.

The demonetization exercise of November 2016 acted as a further catalyst to adoption of digital payments. Mobile wallets exploded nationwide and captured the mindshare of the urban elite. It appeared that India was leapfrogging plastics in favor of mobile wallets (to be fair, during this time plastics were growing at a breakneck pace too).

Let’s go back to our friends at the NPCI now. As they sat and pondered over the issue of financial inclusion, it was this fifth ‘C’ — Convergence — that posed a daunting challenge. The diverse requirements of the Indian economy necessitated the broad array of options for enabling payments, but it was all becoming a bit too much. The payments systems in place weren’t seamlessly interoperable.

Take mobile wallets. Say you have money on your Paytm account but your friend uses a different wallet (Citrus Pay). How do you transfer money between these two wallets? Right now, the only option is a somewhat convoluted payments chain:

Your Paytm wallet → your bank → your friend’s bank or your CitrusPay wallet → your friend’s CitrusPay wallet.

Post offices, telecom providers, mobile wallets of different kinds, Aadhaar- enabled welfare payments, and the alphabet soup of existing payments rails — India truly had a patchwork quilt of a financial system. It was crucial to break the silos and integrate the platforms.

Imagine a world where Vodafone customers could only talk to other Vodafone customers, and it took three days to talk to a customer on another telecom provider. It is crazy that across the world, the equivalent of that is happening with monetary transactions. Sure, wallet transfers within the same wallet are instantaneous, but beyond paying a friend for coffee, the utility of such transfers is minimal.

Given the patchwork quilt, what India needed was standardized protocols using which different bank, bank-like, and non-bank entities could talk to one another.

Hence UPI was born.

Enter UPI

Unified Payments Interface, or UPI (this is important, remember this acronym), was created with the sole purpose of enabling interoperability. It is a platform that is simultaneously backward compatible and future proof — a common language.

But as is usually the case with well designed systems, UPI ended up unleashing a tsunami of economic potential along the way. To understand why UPI is as powerful as it is, and how it completely changes the payments landscape, we must first understand how any payments system operates. Time for another detour.

A brief detour into current payment gateways

Any two-way payment transaction starts with the need for an entity (the sender) to transfer value to another entity (the receiver). Both the sender and the receiver could be individuals, merchants, or government organizations. While cash has worked well in the past, there are several scenarios where cash is not the optimal solution for transfer of value. To use any other form of payment transaction, the following requirements must be met:

1. Sender Authentication

The sender of the payment must authenticate his or her identity. i.e., prove to the banks that they are who they claim to be. In India, this takes the form of two-factor authentication. Each payment must be accompanied by two different conformations from the sender. Authentication comes in three distinct categories:

2. Receiver Identification

The recipient of the payment must be successfully identified. This usually involves knowing the recipient’s name, bank information, and account number. Current payments solutions address this need in their own unique ways. For example:

• Credit / debit card point of sale (POS) system: These systems are usually pre-linked to a merchant’s account in a specific bank, and thus they contain the required receiver information
• Mobile wallets: Wallets temporarily store currency, until the receiver decides to withdraw the cash bank to his or her bank account. At this point, receivers are required to provide their bank and account information
• Bank wires (e.g., NEFT): The receiver and sender usually have to know each other beforehand, and the receiver gives the sender the required bank and account information so that the sender may initiate the payment

3. Authorization

Once the sender has been authenticated and the receiver has been identified, the bank goes ahead and authorizes the transaction. This process involves sending the following information to the payments rails: transaction value, sender ID and receiver ID.

4. Transaction (Value Transfer)

This is where the payments rails come in. Information from the authorization step and actual monetary value travel over the rails.

These steps have been summarized in the following diagram.

All looks good? Not quite.

Pain points of current payment systems

There are several shortcomings in the existing infrastructure that can make payments insecure, tedious, and unfriendly.

1. Security at the infrastructure level

Security is a concern at each step of the transaction. Safe transmission of information is not a core competency of banks and current protocols to transmit and authenticate sender’s identity are plagued by security concerns. Placing the burden of two-factor authentication on banks leads to reliance on insecure communication channels and a non-standard authentication process across different institutions.

2. Interoperability

This is arguably the biggest drawback of the multitude of perfectly functional payments systems that have organically sprung up over the years. It is impossible to get various entities (all relying on different rails) to talk to each other. The interoperability issue comes in three flavors.

• Inter-temporal operability: A few of the current payments rails (e.g., Visa, Mastercard) take several days to process transactions. This ties up working capital and constrains businesses. For example, a merchant cannot pay his supplier for days, even though he has already been paid by his customers. And these delays cascade upstream, slowing down the economy.
• Inter payments-system operability: Two people on different payments systems cannot ‘transact’ seamlessly. For example, I cannot transfer money from my Paytm Wallet to my Mobikwik wallet. Solving this would be a big move towards financial inclusion. A similar, albeit less critical problem applies when you have more than one bank account but cannot access your own money in one of the accounts from another account.
• API-functionality: A third party ecosystem that seamlessly integrates with existing payment rails is currently absent due to the underlying compelxity. For example, a tax-filing and inventory management system that is integrated to the point-of-sale system would be a boon to merchants, but lack of a single interface to merchant payments (given the plethora of options) is preventing the development of this rich ecosystem of value added services.

3. Ease of Use:

While a multitude of payment options exist across credit cards, online banking and mobile wallets, the current systems are not easy to use and have too many friction points.

• Interoperability: see above
• Trust Barrier: In the current ecosystem, if you are paying a peer from your bank, you need their name, account number, bank information and account type. This acts as a barrier to transactions between strangers. Similarly, paying a merchant online requires you to trust the merchant to keep your bank account or credit card information secure.
• Push-only transactions: The current payment methods are “push systems”. This means that you can only send money to another entity (i.e., a person or merchant) but cannot request money from them. Typically, transactions in daily life are both pull and push. A pull transaction would be one where you paid for dinner for both you and your your friend but now need to request money back from her. In today’s world, pull transactions are not possible. You instead need to send reminder payment messages to your friends, which are not only inconvenient but also inefficient.

Back to UPI

Phew! After all the detours, here is a quick recap the context in which the UPI was conceived.

• There was an alphabet soup of payments systems already in place and each served a unique need that could not be met otherwise
• Each of these payments systems had to meet strict sender authentication and receiver identification requirements
• There was no common language to standardize the authentication and identification process, or to enable various bank, bank-like, and non-bank entities to seamlessly talk to one another
• Cell-phone adoption was rapidly rising in the country

This context and the resulting pain points were the backdrop in which UPI was developed. Through a set of application programming interfaces (APIs), UPI linked disparate user interfaces, provided seamless authentication and authorization, and ultimately ensured interoperability among existing players. The APIs provided by UPI enable two enitities to execute a payments transaction by exchanging the bare minimum amount of information required.

Let us see how this works in practice.

1. Sender Authentication:

Standardization of digital identity

Currently, the burden of two-factor sender authentication is placed on the payment service provider (PSP). PSPs are government authorized entities that provide the front-end infrastructure (e.g., app or website) for sending and receiving payments. For now, PSPs are traditional and payment banks. But in the future, additional third parties could become licensed PSPs too.

Today, each PSP follows its own authentication process. While certain authentication guidelines exist (e.g., the requirement of using at least two factors), the actual processes can be remarkably different. Upon authenticating the sender using two-factor authentication, PSPs are able provide the sender access to his own funds housed within the PSP (this is an important point that we will come back to shortly: in the pre-UPI world, if State Bank of India (SBI) were the PSP, it can only provide the sender access to his funds sitting in an SBI account, but not in the account of some other bank).

UPI standardizes this two- factor authentication process by leveraging the Aadhaar infrastructure.

The first factor is authenticated by the PSP using regular authentication credentials for the PSP, which usually takes the form of possession (credit card or cell phone) or knowledge (login details).

The second factor is authenticated by UPI itself, which standardizes the process and takes the burden away from PSPs. This secondary authentication is based on either inherence or knowledge.

• Inherence: NPCI validates the biometrics (Iris scan / fingerprint) collected by the PSP and returns a simple yes / no response. For this, it leverages the existing Aadhaar infrastructure
• Knowledge: In instances where biometric-based authentication is not feasible (e.g., feature phones / websites, etc), NPCI validates identity using a 4–6 digit numeric PIN that is set up the first time the sender uses UPI

Taking on the responsibility for the second factor gives NPCI two advantages. Firstly, this normalized authentication leads to a modularization of the payments architecture. Banks and other PSPs are no longer on the hook for authentication, which was never their forte.

More importantly, it provides NPCI with some serious interoperability leverage. Because NPCI personally validated the authenticity of the sender, it can now provide the PSP (and the sender through the PSP) with access to any of the sender’s funds sitting on the UPI infrastructure (not just the ones housed under the current PSP).

Think about that for a moment.

UPI can now provide you with access to your funds lying in an account on any UPI-backed system. Essentially, this converts all PSPs into portals to your financial world.

• Say you need to make your monthly rent payment and open ICICI bank’s UPI app on your smart phone. As you proceed with the payment , you realize that you do not have sufficient funds in your ICICI bank account. Worry not! You simply select your SBI account for fund transfer without leaving the ICICI app. Your landlord gets the payment instantaneously. Life is good.
• Or say you are making a mortgage payment through your cell-phone app and remember that you need to move your tax refund to your investment account. Again, go for it without even needing to step out of the app! Think of the financial innovation this will precipitate.

Rigorous two-factor authentication ensures that security is never an issue. In fact, the scope for innovation using APIs in payments technologies is so big that in late 2015, Europe decided to implement its own set of protocols to enable interoperability. The second iteration of the Payments Services Directive (PSD2) is a step towards creating a single digital market for payments in Europe. You can read about how PSD2 is set to transform the European payments landscape here.

2. Receiver Identification:

Simplification of recipient information

In the current payments ecosystem, different systems require you to provide different types of information about the recipient, and the information required is usually quite sensitive (e.g., bank account number, address, etc.), acting as a barrier for digital transactions.

UPI attempts to simplify this by defining two types of payments IDs:

1. Global identifiers — This includes the sender’s or receiver’s Aadhaar number and/or mobile number, and bank account number.
2. Virtual Payment Addresses (or VPA) — “Virtual Payment Address” is an identifier issued by the PSP (it takes the form of abc@PSP wherein “abc” is a unique username) that you can choose for yourself. Think of VPAs as email addresses that link PSPs to your global identifiers. Customers have the option to create any number of virtual payment addresses for the same PSP. Conversely, a customer can link the same virtual payment address to multiple PSPS.

With UPI, all an entity (sender or receiver) needs to do is share her VPA (or any other global identifier, like her cell phone number), without the need to share any sensitive information. Through the UPI Payment API, different payment rails can now talk to each other using just the VPAs of the sender and the receiver, and all the hard work is done under the hood.

The way this works is — the sender PSP will map the sender VPA to the sender’s payments details and provide these details to NPCI. NPCI, in turn, will fetch the receiver’s payment details from the receiver PSP using the receiver VPA. Once NPCI has all details to process the financial transaction, debit and credit will be processed through an existing payments rail. By acting as a conduit, UPI eliminates the need for trust between the two parties.

So now, to request payment from your friend after dinner, all you need is your friends’ cell phone number or their VPA. You do not need to be on the same platform or payments system as your friend. You can send money from your Paytm wallet to your friend’s Citrust Pay wallet using just the VPAs linked to these wallets.

If you have used Paytm or Venmo, this is basically that.

But it designed for the entire country’s financial system!

3. Authorization:

A two-way street

Simplification and standardization opens up new use cases. One can now enable both push AND pull transactions on payments rails (not just wallets). A pull request can be sent over existing payment rails using the sender’s VPA. The authorization process takes place once the sender authenticates his identity and authorizes the transaction on his end.

4. Transaction (Value Transfer)

The wrapper

This is where the beauty and simplicity of UPI comes to fruition. By standardizing every step of the payments process, UPI enables the use of any existing payments rail to facilitate transactions. While UPI currently leverages IMPS, it can latch onto any other existing payments rail, providing interoperability across every single node in India’s financial system.

The outcome? A truly open and interoperable payments infrastructure which is compatible with all of the existing technologies, and has the potential to integrate newer ones.

Think about how UPI can be used for a merchant transaction in the future. In the world of tomorrow, smartphones will replace physical cards as issuing devices and smartphones will replace slow and clunky POS systems as acquiring devices. Once you are done shopping, the merchant will share her VPA or cell phone number (through a QR code, or a piece of paper taped to the desk), and you will authorize payment to that VPA using your pin / bio-metrics, transferring money instantaneously . No need to worry about which platform the merchant is using. No need for Visa or Mastercard to act as an intermediary. And no need to wait three days for the money to hit the merchant’s bank!

Benefits of UPI

The real benefits of UPI lie not in the individual advantages outlined in each of the steps described above, but in how these advantages stack and work together as a cohesive whole. UPI collapses the existing payments process into a simplified, normalized, authentication mechanism that can be summarized in the following diagram.

By leveraging the growing penetration of mobile phones as the customer user interface / merchant POS, and by using virtual addresses instead of physical cards to reduce both cost of acquisition and issuing infrastructure, UPI substantially reduces costs, making it one of the most inexpensive payments systems in the world.

In a nutshell, UPI leads to a unified, secure, “form independent”, and inexpensive user interface for payments. Before UPI, the only payments system that exhibited this behavior was cold, hard cash. And in a society where 95% of transaction are still based on cash, digital cash will be adopted only if it provides the same level of comfort.

Time again for a quick summary. Let’s see how the various components that we have descibed so far are unified by UPI to provide the same benefits as cash.

1. Aadhaar: Establish a digital identity that covers a billion people
2. Jan Dhan: Establish bank accounts that can be tied to the digital identity above
3. Connectivity: Connect people so they have access to the banking system above through:
   — Mobile: Add telecom providers to the banking network to capitalize on sweeping mobile penetration
   — Postal system: Add the postal system to cater to the segment that is still not using cell phones
4. Rails: Use existing payment rails or build new ones to enable transfer value between individuals and all of the following:
   — 125 thousand bank branches
   — 180 thousand ATMS
   — 400 thousand Banking correspondents
   — 1 million POS Machines
   — 15 million retail outlets
   — 1 billion mobile subscribers

Every single one of these touch points is now a node in the financial network! You can transfer value to, or receive cash from, any of these nodes.

Over a billion ATMs!

UPI takes status quo rails, status quo infrastructure and binds them all together. Such an interoperable system lays the foundation for the conversion of physical cash to digital cash at will, making the need for physical cash obsolete.

This is the real motive behind UPI. It’s fun to make splitting dinner bills easier, but to bring financial inclusion to the masses, one has to make cash go digital in its purest form.

UPI is financial inclusion on steroids!

The comprehensive exhibit below summarizes everything we have talked about in one clean diagram (you may have to click on the picture and zoom in to fully enjoy the magic that is UPI).

Future of Payments

“One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them”

UPI has the potential to completely transform the face of the nation. Imagine, if you will, the following;

• An instantaneous payments system that is as cheap as cash, but infinitely portable and scalable
  — A government that reduces leakages and waste in welfare programs by distributing subsidies and benefits directly to Aadhaar linked accounts
  — An opportunity to bridge the divide between the rich and the poor
• A network of payments without the need for dedicated physical infrastructure
  — A world where poorly designed POS systems are not an excuse to adopting digital currency
  — A nation empowered by the network effects having a billion people leverage the UPI architecture
• A future of P2P payments unencumbered by lack of interoperability
  — A world of e-wallets where payments are made using authentication tools at people’s fingertips
• A basket of UPI powered apps which act a portal to one’s financial world
  — A plethora of value-added services that help people integrate payments with other financial services (e.g., inventory management, wealth management, financial statements, tax filing, etc)
  — A data rich nation that will unleash credit facilities to both individuals and businesses
• A paperless world with limited potential for money laundering, and tax evasion

UPI is enabling the transformation built on the bedrock of Aadhaar. As we discussed in our article on the India Stack, UPI is only one part of the overall digital transformation that India is embarking upon. Coupled with the other initiatives in the India Stack, it has the potential to truly change the country.

We weren’t kidding. India did just crush it.